Summary

Identify and analyze project risks.

Description

Refer to the Monitor Project Risks specific practice in the Project Monitoring and Control (PMC) (CMMI-ACQ) process area for more information about risk monitoring activities.


Refer to the Risk Management (RSKM) (CMMI-ACQ) process area for more information about identifying potential problems before they occur so that risk handling activities can be planned and invoked as needed across the life of the product or project to mitigate adverse impacts on achieving objectives.


Risks are identified or discovered and analyzed to support project planning. This specific practice should be extended to all plans that affect the project to ensure that appropriate interfacing is taking place among all relevant stakeholders on identified risks.

Project planning risk identification and analysis typically include the following:
  • Identifying risks
  • Analyzing risks to determine the impact, probability of occurrence, and time frame in which problems are likely to occur
  • Prioritizing risks


Risks are identified from multiple perspectives (e.g., acquisition, technical, management, operational, supplier agreement, industry, support, end user) to ensure all project risks are considered comprehensively in planning activities. Applicable regulatory and statutory requirements with respect to safety and security should be considered while identifying risks.

The acquisition strategy and the risks identified in other project planning activities form the basis for some of the criteria used in evaluation practices in the Solicitation and Supplier Agreement Development process area. As the project evolves, risks can be revised based on changed conditions.

Example Work Products



  1. Identified risks
  2. Risk impacts and probability of occurrence
  3. Risk priorities


Subpractices



1. Identify risks.

The identification of risks involves the identification of potential issues, hazards, threats, vulnerabilities, and so on that could negatively affect work efforts and plans. Risks should be identified and described understandably before they can be analyzed and managed properly. When identifying risks, it is a good idea to use a standard method for defining risks. Risk identification and analysis tools can be used to help identify possible problems.

Examples of risk identification and analysis tools include the following:
  • Risk taxonomies
  • Risk assessments
  • Checklists
  • Structured interviews
  • Brainstorming
  • Process, project, and product performance models
  • Cost models
  • Network analysis
  • Quality factor analysis


Numerous risks are associated with acquiring products through suppliers (e.g., the stability of the supplier, the ability to maintain sufficient insight into the progress of their work, the supplier’s capability to meet product requirements, the skills and availability of supplier resources to meet commitments).

The process, product, and service level measures and associated thresholds should be analyzed to identify instances where thresholds are at risk of not being met. These project measures are key indicators of project risk.



2. Document risks.

3. Review and obtain agreement with relevant stakeholders on the completeness and correctness of documented risks.

4. Revise risks as appropriate.

Examples of when identified risks may need to be revised include the following:
  • When new risks are identified
  • When risks become problems
  • When risks are retired
  • When project circumstances change significantly